Video Surveillance DVRs Exposed by Hard Coded Password

The security of internet-accessible devices has become more and more critical in recent years. Recently, cheap unsecured webcams came under fire after many such devices were exposed by the Shodan search engine. Now as many as 46000 users of digital video recorders (DVRs) manufactured by Zhuhai RaySharp Technology may actually be making their property less secure: it has come to light that the Chinese manufacturer has been using hard-coded, unchangeable passwords for the highest user privileges in its software.

The vulnerability was discovered by security researchers from vulnerability intelligence firm Risk Based Security (RBS), who examined the software that the DVRs’ interface runs on. RaySharp’s DVR products have a web interface through which a user can view the camera feeds, manage settings and recordings, and operate any pan or zoom features on the cameras. These web interfaces all run on Linux-based firmware. On examining the CGI scripts that handle user authentication for the web interface, the researchers found a routine that checks whether the user-supplied username is “root” and the password is “519070”. Using these credentials to log into the web interface would provide full system access.
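The following C sketch is an added illustration of that pattern and is not RaySharp's firmware code: it puts a login check that accepts the fixed pair described above next to one that only consults owner-configured accounts. The `account` struct, the function names and the sample account are hypothetical, and plaintext password storage is a simplification for brevity.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical account record. Plaintext storage is a simplification for this
   illustration; a real device should store a salted password hash. */
struct account { const char *user; const char *password; };

/* Comparison that does not stop at the first mismatching byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Flawed pattern from the article: a fixed pair is accepted regardless of
   the configured accounts, so no password change by the owner removes it. */
int login_flawed(const struct account *db, size_t n,
                 const char *user, const char *pass)
{
    if (strcmp(user, "root") == 0 && strcmp(pass, "519070") == 0)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (!strcmp(db[i].user, user) && !strcmp(db[i].password, pass))
            return 1;
    return 0;
}

/* Corrected pattern: only owner-configured accounts can authenticate. */
int login_fixed(const struct account *db, size_t n,
                const char *user, const char *pass)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++)
        ok |= ct_equal(db[i].user, user) & ct_equal(db[i].password, pass);
    return ok;
}

/* Constructed sample: the owner has set their own admin password. */
static const struct account sample_db[] = { { "admin", "owner-chosen-passphrase" } };

int main(void)
{
    printf("flawed=%d fixed=%d\n", login_flawed(sample_db, 1, "root", "519070"),
           login_fixed(sample_db, 1, "root", "519070"));
    return 0;
}
```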

Using hard-coded passwords for small-scale systems used to be an accepted practice, where physical access to the system would generally be required regardless. Such things are now considered unacceptable by most, with many vendors developing secure systems and working to ensure that vulnerabilities that do pop up are patched. That RaySharp still use hard-coded root passwords would be bad enough, but the Chinese firm also manufacture DVR products and provide firmware for a number of other companies worldwide. RBS researchers found that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender and LOREX Technology contain the same hard-coded root password. Another CGI script found in RaySharp firmware listed 55 vendors that apparently use the same firmware, so the impact could be much greater.

RBS researchers chose to release information on the vulnerability so that those in possession of a DVR system from RaySharp or one of the other affected firms can check for themselves whether their system has the issue. They recommend that any DVR that uses the username and password combination of root and 519070 should not be accessible on the internet and that, if access is required, it should be done by first logging into a VPN.

With the recent revelation that many webcams had been unwittingly exposed publicly online, it is likely that the same may occur for these DVRs. Hopefully, those with vulnerable DVR systems will discover the issue and take precautionary steps to avoid unwittingly sabotaging their own efforts to make their property or possessions safer.

Alexander Neil
